SINGAPORE/WASHINGTON/LONDON – Asian governments and businesses reported some disruptions from the “WannaCry” ransomware worm Monday but cybersecurity experts warned of a wider impact as more employees turned on their computers and checked emails.
The ransomware that has locked up more than 200,000 computers in more than 150 countries has been mainly spread by email, hitting factories, hospitals, shops and schools worldwide.
“Most of the attacks are arriving via email, so there are many ‘land mines’ waiting in people’s in-boxes,” said Michael Gazeley, managing director of Network Box, a Hong Kong-based cybersecurity company.
In China, the world’s second-largest economy, energy giant PetroChina said payment systems at some of its gas stations were hit, although it had been able to restore most of the systems. Several Chinese government bodies, including police and traffic authorities, reported they had been impacted by the hack, according to posts on official microblogs.
The official China Daily newspaper, citing Chinese tech firm Qihoo 360, said that at least 200,000 computers had been affected in China, with schools and colleges particularly hard-hit.
A spokesman for the Hong Kong Exchanges and Clearing, one of the region’s biggest bourses, said all systems were so far working normally. “We remain highly vigilant,” he said.
Companies have warned users and staff not to click on attachments or links. One school in South Korea barred its pupils from using the internet. Taiwan’s government appeared to have escaped major infection, possibly because regulations there require all departments to install software updates as soon as they are available.
South Korea’s presidential Blue House office said nine cases of ransomware were found in the country, but did not provide details on where the cyberattacks were discovered.
In Australia, Dan Tehan, the government minister responsible for cybersecurity, said just three businesses had been hit by the bug, despite worries of widespread infection. There were no reported cases in New Zealand.
Cybersecurity experts said the spread of the ransomware had slowed since its appearance Friday but that the respite might only be brief.
For one thing, the attackers or copycat attackers may have developed new versions of the worm, although a British-based security researcher who thwarted an earlier version of the worm said most of these reports had been proven false.
In Hong Kong, Gazeley said his team had found a new version of the worm that didn’t use email to lure victims.
Instead, it loaded scripts onto hacked websites where users who clicked on a malicious link would be infected directly. He said it was too early to tell how many websites had been affected.
Gazeley added that several major companies in Asia had been hit by the ransomware, but “the last thing they want to do is come out in public and admit it.” He declined to elaborate.
The initial “WannaCry” attack had paralyzed computers that run Britain’s hospital network, Germany’s national railway and scores of other companies and government agencies worldwide in what was believed to be the biggest online extortion scheme ever.
Microsoft blamed the U.S. government for “stockpiling” software code that was used by unknown hackers to launch the attacks. The hackers exploited software code from the National Security Agency that leaked online.
The company’s top lawyer said the government should report weaknesses they discover to software companies rather than seek to exploit them.
“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” attorney Brad Smith wrote on Microsoft’s blog.
The nonprofit U.S. Cyber Consequences Unit research institute estimated that total losses would range in the hundreds of millions of dollars, but not exceed $1 billion.
Most victims were quickly able to recover infected systems with backups, said the group’s chief economist, Scott Borg.
Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.
Microsoft released patches last month and Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.
But new variants of the rapidly replicating worm were discovered Sunday and one did not include the so-called kill switch that allowed researchers to interrupt its spread Friday by diverting it to a dead end on the internet.
Ryan Kalember, senior vice president at Proofpoint Inc. which helped stop its spread, said the version without a kill switch was able to spread but was benign because it contained a flaw that wouldn’t allow it to take over a computer and demand ransom to unlock files. However, he said it’s only a matter of time before a malevolent version exists.
“I still expect another to pop up and be fully operational,” Kalember said. “We haven’t fully dodged this bullet at all until we’re patched against the vulnerability itself.”
The attack held users hostage by freezing their computers, popping up a red screen with the words, “Oops, your files have been encrypted!” and demanding money through online bitcoin payment — $300 at first, rising to $600 before it destroys files hours later.
The ransomware attack was particularly malicious, because if just one person in an organization clicked on an infected attachment or bad link, all the computers in a network would be infected, said Vikram Thakur, technical director of Symantec Security Response.
“That’s what makes this more troubling than ransomware was a week ago,” Thakur said.